IBM development package can boost mobile app security

Applications are the Achilles’ heel of government mobile device programs. They are a vital and growing component of agencies’ future IT use, but they also present a number of attack vectors into government networks.

IBM is offering a more baked-in approach to mobile app security with the release of a software portfolio that can help organizations that build applications integrate mobile security testing across an application’s life cycle.

The AppScan system lets organizations test their own Android applications, IBM officials said. Previously, to test the security of mobile applications, organizations usually had to send their applications and software intellectual property to an off-site vendor to test for vulnerabilities.

This off-site process does not scale and is too slow to keep pace with the revisions and updates that mobile applications constantly undergo. Organizations need to set up in-house mobile application security testing early in the software development life cycle, IBM officials said.

Besides testing mobile applications, the IBM portfolio offers a number of other capabilities:

Integration with IBM's QRadar Security Intelligence Platform for increased security intelligence when an application moves into production. QRadar automatically raises or lowers the priority score of security incidents by correlating known application vulnerabilities with user and network activity.

A new cross-site scripting (XSS) analyzer that can quickly evaluate millions of potential tests from fewer than 20 core tests, allowing it to find more XSS vulnerabilities faster than previous versions of AppScan.

Predefined and customizable templates that give development teams the ability to quickly focus on a rule set prioritized by their security teams, helping agencies focus on key organizationwide issues.

AppScan also integrates with IBM Security Network IPS and IBM Security SiteProtector and is sold as a regular component of IBM Guardium and IBM Security Access Management systems for end-to-end application security.